Sunday, December 24, 2017

Book Review: On Cyber: Towards An Operational Art for Cyber Conflict

Annoyingly and ironically this book is only available in paperback, and not in electronic format.

I spent Christmas Eve on the beach re-reading this book. Moments later these same seagulls issued a flank attack that stole my apple pastry from me. :(

So I went through this book carefully looking for serious flaws. I came up with a few minor issues instead. But this and Matt Monte's book are the books that should be getting read by teams looking to get up to speed from a military angle. Maybe I would add Relentless Strike as well.

The reason this book works is that resume matters. You don't see tons of quotes from the authors stolen from the traditional canon of B.S. policy papers or Wired magazine articles. Nothing in this book is quoting a NY Times article that everyone in the know already has discounted as a disinformation effort via targeted leaks.

I'm not saying this to be harsh - but it's a fact that almost all the books in this space suffer from a lack of experience in the area. These authors know what they're talking about in both of the domains this book straddles and it would be clear even if you didn't know who they were. The book quotes Dual Core and Dan Geer as easily as Clausewitz.

If there are gaps in the book, they are in a failure to go the extra mile philosophically to avoid ruffling feathers in the policy world. What does it mean that cyber operations can engage in N-dimensional flanking operations? They often point to contentious issues with regards to how traditional thought runs without directly naming and shaming. Tell me again how the US copyright regime is in some way different technologically from the Chinese effort against Falun Gung?

When it comes to predictions, the book fails to predict the worm revolution we're in now and is heavily focused on AI and scale, since the US military is so focused on C2-based operations, but that's a myopia that can only be corrected after operational planners have mastered the basics of maneuver in cyber. It's a US focused book, but what else would you expect?

The book also could use more direct examples than it has - if for no other reason than because they push the concepts better than raw text does. They get close to adopting the offensive community's definition of a cyber weapon, but fail to mention Wikileaks, for example. What is a click-script? Why do they exist? I want to ask this book just to have it written down in a way that future operators need to see. There are real gaps here and I'm not sure if they're intentional efforts at abstraction.

A good cyber operations class for future officers, in the US military and beyond, would do well to expand upon this book's chapters with direct examples from their own experience. But even if all they do is assign this book as required reading, they'll have done pretty well.